Mobile Computing Device feature Threats, Vulnerabilities and feature Risk Factors Are Ubiquitous

Mobile computing devices (i.e., , tablets security-specific features, and avoiding supply and smart phones) can cause serious harm to chains that provide compromised or unsecure Do you have organizations and to device owners, their friends and mobile devices. something families, because mobile devices are far less secure to say about than desktops and laptops. The Verizon 2015 Data If a has an attachment to read credit this article? 1 Breach Investigations Report states that there are cards, it, too, can be compromised by a technique Visit the Journal 4 tens of millions of mobile devices. And, according known as skimming. A can perform pages of the ISACA to Statista,2 there will be 4.77 billion surveillance via its audio, camera and Global web site (www.isaca. users in 2017 and 1.15 billion tablets in use in Positioning System (GPS) capabilities, as well as org/journal),find the 2016.3 As the number of mobile computing devices recording call logs, contact information and Short article and click on increases, so do concerns. There Message Service (SMS) messages. Mobile the Comments link to are already many existing and new threats related to devices can cause financial problems because, share your thoughts. mobile devices. if compromised, they can send premium SMS messages, steal transaction authentication numbers, This article discusses the actors, threats, allow extortion via ransomware and make expensive vulnerabilities and risk associated with mobile calls without the device owner’s knowledge. A computing devices and highlights the device can even be hijacked and turned into a pervasiveness of security and privacy problems distributed denial-of-service (DDoS) bot, making it and issues. harder for organizations to detect and prevent such DDoS attempts. Actors App-based threats include , spyware, The actors (aka threat vectors) include the device itself, vulnerable apps, compromised apps and data/ the applications (apps) on the device, compromised information leakage due to poor programming web sites, data connections, other users and practices. The types of app attacks include: organizations, the organization to which the device Larry G. user belongs, and the service providers. • Disabling or circumventing security settings Wlosinski, CISA, CISM, CRISC, CAP, • Unlocking or modifying device features Mobile Computing Device Threats CBCP, CCSP, CDP, • Apps that were obtained (free or purchased), but CISSP, ITIL v3 Newly purchased mobile devices can be configured contained malicious code Is a senior associate insecurely. Devices can contain the original at the Veris Group LLC vulnerable (OS) that has not Examples of malware capabilities include: and has more than 16 been updated to eliminate known vulnerabilities. years of experience in • Listening to actual phone calls as they happen IT security. Wlosinski If a device does not require some type of access has been a speaker controls such as a personal identification number • Secretly reading SMS texts, capturing call logs on a variety of IT (PIN) or fingerprint, it is ripe for unauthorized use and emails security topics at by anyone who has access to it. There are many US government • Listening to the phone surroundings (device is types of malware that can provide people with and professional used as a remote bugging device) malicious intent the ability to obtain sensitive data conferences and stored on a device. Protecting data can be more • Viewing the phone’s GPS location meetings, and has of a problem if one makes the mistake of loading written numerous • Forwarding all email correspondence to articles for professional sensitive organizational information on it. Users need another inbox magazines and to be aware that they are responsible for protecting newspapers. the device, preventing physical tampering, setting • Remotely controlling all phone functions via SMS

ISACA JOURNAL VOL 4 1 • Accepting or rejecting communication based on • Exploiting Social Media Accounts—Using Enjoying predetermined lists shortened malicious web site names (to describe one example) this article? • Evading detection during operation Your own organization’s network infrastructure can • Read Security A compromised web site can be a danger to be a threat. Used maliciously, a wireless network can Mobile Devices everyone’s information. It can be the source of pose threats such as: Using COBIT® 5 phishing scams, drive-by downloads of malware and for Information browser exploits. Wi-Fi via free hotspots can provide • Providing a means for unauthorized access Security. criminals the means to obtain banking access and • Permitting or promoting the installation of malware www.isaca.org/ financial account information. These web sites securing-mobile- can be used to obtain personal data about device • Permitting the loss of data integrity of the system devices owners, their families and friends, and the places and associated databases they work. Vulnerabilities to avoid include keeping • Spreading compromised apps • Learn more about, a Wi-Fi connection enabled at all times, not using discuss and or enabling a device firewall, browsing unencrypted • Acting as the source of insecure coding collaborate on web sites, failing to update security software, and • Permitting eavesdropping, data interception, voice/ mobile computing not securing home Wi-Fi. in the Knowledge data collection, drive-by downloads, location Center. tracking (via GPS) and behavior tracking Data communications via a personal or company www.isaca.org/topic- network can also be a nonsecure means of mobile-computing An Internet service provider (ISP) can also be communications. The communication problems a threat to individuals and organizations. The include video, audio and data that can be collected ISP gathers and stores device location; device over the air by an insecure network. There are many ownership information; application usage behavior; types of network exploits including Wi-Fi sniffing, email routing/forwarding information; information manipulation of data in transit, data exposure about purchased music, movies, TV shows, apps through radio frequency (RF) emission, connection and books; and sensitive internal reports. All of this to an untrusted service, signal jamming and flooding, information can be stored in the cloud for years. and monitoring a GPS/geolocation. All of these threats need to be avoided. Other information that can be kept in the cloud for a long time includes: photos and videos; personal User-based threats include: social engineering, contact information, calendar events, reminders inadvertently (or intentionally) releasing classified and notes; device settings; application data; Adobe information, theft and/or misuse of device and app PDFs; books added to an order list; call history; services, and malicious insiders who steal devices home screen and application organization; text for their own purposes or for someone else. and email messages; ringtones; home system security settings (HomeKit5 data ); personal health Social engineering can be accomplished by: information (HealthKit6 data ); and voicemail.

• Phishing—Masquerading as a trustworthy entity Vulnerabilities • Vishing—Tricking a victim into calling a phone Mobile computing device vulnerabilities exist in number and revealing sensitive information the device itself, the wireless connection, a user’s • Smishing—Tricking someone via messaging into personal practices, the organization’s infrastructure downloading malware onto their mobile device and wireless peripherals (e.g., printers, keyboard,

2 ISACA JOURNAL VOL 4 mouse), which contain software, an OS and a data sensitive correspondence. The lack of encrypted storage device. communication can allow malware to access the network and propagate Trojans and viruses throughout If not secured by encryption, wireless networks the organization. More serious is the fact that it can often pass sensitive information in the clear that allow intrusion into the enterprise, which can then can do harm to individuals and/or organizations. compromise the entire organization. Remember that Unintentionally released sensitive data can not a VPN connection requires authentication—a critical only affect the organization’s reputation and the protective control—to permit network access. lives of those affected, but can also be the cause of legal action. Wireless communications can carry and install malware on any computing device configured to receive it. This malware can cause If not secured by encryption, data corruption, data leakage, and the unavailability of services and functionality. Personal privacy can wireless networks often pass also be affected if the audio (e.g., ) and video/picture communication (e.g., device camera) sensitive information in the clear are intercepted and used with malicious intent. The that can do harm to individuals wireless protection provided by an organization will work only if a user is in the organization’s network and/or organizations. perimeter where the security controls are in place.

Unencrypted organization, customer and employee information stored on the computing device can Application Vulnerabilities inadvertently be made available to others if someone Other vulnerable components of the mobile intercepts it while in transit or if the device is stolen computing device environment are the apps loaded (and no access controls are in place). It is not on it. Each application can contain a vulnerability difficult to intercept wireless communications traffic that is susceptible to exploitation. The apps on because there are free tools available on the Internet the mobile device can have a variety of to help hackers do this. vulnerabilities including:

In this age of wireless technology, many roles • Incorrect permission settings that allow access to (e.g., doctors, medical support staff, retail and controlled functionality such as the camera or GPS wholesale inventory personnel, registration support • Exposed internal communications protocols that staff) depend on mobile computing devices to pass messages internally within the device to itself efficiently capture and transmit data. The users of or to other applications these devices rely on them for their productivity and livelihood. In many cases, the information • Potentially dangerous functionality that accesses is sensitive to the organization and, if it is the resources or the user’s personal information employee- or customer-related, it can be personal via internal program data calls or hard-coded and privacy-related (i.e., personally identifiable instructions information [PII]). • Application collusion, where two or more applications pass information to each other to If one’s organization does not have a wireless increase the capabilities of one or both applications encryption program (i.e., virtual private network [VPN]) in place, then mobile devices may • Obfuscation, where functionality or processing interact with personal devices’ email and obtain capabilities are hidden or obscured from the user

ISACA JOURNAL VOL 4 3 emails, email addresses and attached data (if the security safeguards are insufficient); loss, theft or damage of the device; use of the device as a proxy to establish a virtual connection from an attacker to an internal network; data loss/leakage due to the small size and portability; fraud enabled by remote access or copying mass amounts of sensitive data; spam causing disruption and driving up service costs if targeted toward mobile devices; and malformed SMS messages causing devices to crash.

Conclusion

Each day, mobile device attack vectors are continuously undergoing dynamic changes, and it is difficult to represent a complete set of the threats and vulnerabilities. With the development of mobile computing devices that can be carried in a pocket or a duffle bag comes the responsibility to protect those devices and the data within them. Being aware is only the first step in the fight to protect the data.

References • Excessive power consumption of applications Lookout, “What Is a Mobile Device Threat?,” running continuously in the background, which drain https://www.lookout.com/resources/know-your- the battery, thereby reducing system availability mobile/what-is-a-mobile-threat • Traditional software vulnerabilities such as Security Guide, infographic, insufficient editing of data entered, Structured http://autosend.io/mobile-app-security-guide/ Query Language (SQL) query exploitation and poor Wysopal, C.; “Mobile App Top 10 List,” Veracode, programming practices 13 December 2010, www.veracode.com/ • Privacy weaknesses in configuration settings blog/2010/12/mobile-app-top-10-list that allow access to the application’s sensitive European Union Agency for Network and Information information (e.g., contacts, calendar information, Security, “Top 10 Smartphone Risks,” https://www. user tasks, personal reminders, photographs, enisa.europa.eu/activities/Resilience-and-CIIP/ Bluetooth access) critical-applications/smartphone-security-1/top-ten- risks?_ga=1.234877470.1254580284.1439215552 Risk Quirolgico, S.; J. Voas; T. Karygiannis; C. Michael; The most common risk factors that apply to using K. Scarfone; Vetting the Security of Mobile Applications, Special Publication 800-163, National mobile devices are: computer viruses, worms or Institute of Standards and Technology (NIST) other personal computing device-specific malware; USA, 2015, http://nvlpubs.nist.gov/nistpubs/ theft of sensitive data; exposure of critical information SpecialPublications/NIST.SP.800-163.pdf through wireless sniffers; wireless intruders capturing

4 ISACA JOURNAL VOL 4 Althuser, J.; “7 Ways Hackers Can Use Wi-Fi Against Endnotes You,” CSO, 9 November 2015, www.csoonline.com/ article/3003220/mobile-security/7-ways-hackers- 1 Verizon, 2015 Data Breach Investigations Report, can-use-wi-fi-against-you.html 15 April 2015, www.verizonenterprise.com/ Apperian, “Mobile App Security,” https://www. DBIR/2015/ apperian.com/mobile-application-management/ 2 Statista, “Number of Mobile Phone Users mobile-app-security/ Worldwide From 2013 to 2019 (in Billions),” 2016, www.statista.com/statistics/274774/ ISACA, Securing Mobile Devices, USA, 2010, forecast-of-mobile-phone-users-worldwide/ www.isaca.org/Knowledge-Center/Research/ 3 Statista, “Number of Tablet Users Worldwide ResearchDeliverables/Pages/Securing-Mobile- From 2013 to 2019 (in Billions),” 2016, Devices-Using-COBIT-5-for-Information-Security.aspx www.statista.com/statistics/377977/tablet- Milligan, P. M.; D. Hutcheson; “Business Risks users-worldwide-forecast/ and Security Assessment for Mobile Devices,” 4 Skimming is the capturing of credit card ISACA® Journal, vol. 1, 2008 information using a card reader that records and stores the user’s card information. Absolute, US Mobile Device Security Survey Report 5 Apple, HomeKit, www.apple.com/ios/ 2015, https://www.absolute.com/en/resources/ homekit/?cid=wwa-us-kwm-features whitepapers/mobile-device-security-survey-report-us 6 HealthKit, https://www.healthkit.com/

ISACA JOURNAL VOL 4 5